NSA key in MSFT Crypto API

1999-09-03 Thread Lucky Green

Andrew Fernandes tonight published the results of his reverse engineering of
Microsoft's Crypto API (CAPI). [This builds on work done by Nicko van
Someren from nCipher].

Background: MSFT CAPI comes pre-installed with two keys used to check the
validity of a Cryptographic Service Provider (CSP). The holder of either key
can install operating system security services without user authorization.
The first key is used by MSFT to sign their own security services modules.
The identity of the second key holder has until now been unknown. That is to say
until MSFT forgot to strip the binary of NT4 SP5 of debugging symbols.

Perhaps not surprisingly, the debugging symbol for the second key is...
_NSAKEY.

For more information and a program to remove the NSA's key from your copy of
Windows 95, 98, NT, 2000, see
http://www.cryptonym.com/hottopics/msft-nsa.html

Note that Windows 2000 includes not just two keys, but three keys that can
sign modules that will control security services on your copy of Windows.

Word has it that the third key belongs to the FBI. So far, there has been no
independent confirmation of this rumor.

--Lucky Green [EMAIL PROTECTED]




RE: NSA key in MSFT Crypto API

1999-09-03 Thread Salz, Rich

> For more information and a program to remove the NSA's key from your copy
> of Windows 95, 98, NT, 2000, see
> http://www.cryptonym.com/hottopics/msft-nsa.html

Perhaps more interestingly, the program lets you replace the key, too.
It requires no special privileges -- just uses some undocumented API's.

It would be ...interesting... for someone to combine that program with
Melissa, where the body of the messages was a public/private keypair.
/r$



RE: NSA key in MSFT Crypto API

1999-09-03 Thread William H. Geiger III

In [EMAIL PROTECTED],
on 09/03/99 
   at 11:49 AM, "Trei, Peter" [EMAIL PROTECTED] said:


> The ability to replace the NSA key with another
> is an extremely serious vulnerability. This means that
> *anyone* - not just the NSA - can write a compromised
> module and install it on the target, as long as they
> also replace the NSA key with the one they used to
> sign the weakened module.
>
> Tripwire, anyone?

It's very simple, DO NOT USE WINDOWS!!

This is a compromise in only one API. God only knows what they have done
to compromise security in the millions of lines of code that no one
outside of Redmond has ever seen.

Windows is compromised!! Microsoft is in bed with the Federal Government.
There is *no* security on a system running their software. Those who
continue to do so get exactly what they deserve.

-- 
---
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---




RE: NSA key in MSFT Crypto API

1999-09-03 Thread Trei, Peter

The ability to replace the NSA key with another
is an extremely serious vulnerability. This means that
*anyone* - not just the NSA - can write a compromised
module and install it on the target, as long as they
also replace the NSA key with the one they used to
sign the weakened module.

Tripwire, anyone?

Peter Trei


> --
> From: Salz, Rich[SMTP:[EMAIL PROTECTED]]
> Sent: Friday, September 03, 1999 10:42 AM
> To:   'Lucky Green'; cypherpunks@Algebra. COM
> Cc:   Cryptography@C2. Net; [EMAIL PROTECTED]
> Subject:  RE: NSA key in MSFT Crypto API
>
> For more information and a program to remove the NSA's key from your copy
> of Windows 95, 98, NT, 2000, see
> http://www.cryptonym.com/hottopics/msft-nsa.html
>
> Perhaps more interestingly, the program lets you replace the key, too.
> It requires no special privileges -- just uses some undocumented API's.
>
> It would be ...interesting... for someone to combine that program with
> Melissa, where the body of the messages was a public/private keypair.
>   /r$
 



More details on Operation Broken Glass

1999-09-03 Thread Robert Hettinga

Looks like last night was a kind of crypto-Kristallnacht, ja?

Cheers,
RAH
(Who's not too shameless to plug FC00, here, in light of the Nicko 
and Adi's URL, below)
--- begin forwarded text


Date: Fri, 3 Sep 1999 10:03:57 -0700
Reply-To: Law & Policy of Computer Communications
[EMAIL PROTECTED]
Sender: Law & Policy of Computer Communications
[EMAIL PROTECTED]
From: Greg Broiles [EMAIL PROTECTED]
Subject:  Re: Warning about Installation of Software -- Don't be fooled by
   NSA
To: [EMAIL PROTECTED]

At 09:33 AM 9/3/99 , David Lesher wrote:
  and I respectfully ask all the smart computer-savvy folks who read this
  message to check out this rumor and confirm whether it is a hoax, or
  whether it is for real.  Your input and wisdom is greatly appreciated.

But note that the meat of the story requires you do no such thing.

(More importantly, I can not see his claimed Crypto 99 rump session
talk on the schedule)

I spoke with a friend last night who attended the rump session at Crypto,
who confirmed that the talk was given.

The existence of the second key was discovered by a crypto researcher who
had the insight that looking inside the executable for areas of unusually
high entropy might prove revealing - he found two such areas, each 1024 bits
long (exactly the length of the Crypto API public key), where the design of
Crypto API would only have required one .. leading to further investigation
and disassembly of the code.

One approach to independent verification would be to repeat the initial
investigation - look through the RSABASE.DLL file in your \WINDOWS\SYSTEM
directory looking for relatively high-entropy sequences. A paper describing
this technique is available at
http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf, and C
code purporting to implement that search is available at
http://www.hedonism.demon.co.uk/paul/download/ncheck.c.


--
Greg Broiles
[EMAIL PROTECTED]
PGP: 0x26E4488C

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
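
The entropy search described in the forwarded message above, as an added example that is not part of the original thread and is neither ncheck.c nor the paper's code: a sliding-window Shannon-entropy scan in Python. The 64-byte window, the 5.2 bits/byte threshold and the sample buffer (x86-like filler, a provider-name string and two seeded-random 1024-bit blobs standing in for key moduli) are constructed assumptions.

```python
import math
import random
from collections import Counter

WINDOW = 64       # assumed window size in bytes
THRESHOLD = 5.2   # assumed cut-off in bits/byte; a 64-byte window tops out at 6.0
KEY_BYTES = 128   # 1024 bits, the key length mentioned in the thread


def window_entropy(chunk):
    """Shannon entropy, in bits per byte, of the byte histogram of chunk."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def find_high_entropy_regions(data, window=WINDOW, threshold=THRESHOLD):
    """Slide a window over data and merge overlapping hot windows into spans."""
    regions = []
    for start in range(len(data) - window + 1):
        if window_entropy(data[start:start + window]) < threshold:
            continue
        end = start + window
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)  # extend the current span
        else:
            regions.append((start, end))
    return regions


def build_sample():
    """Constructed stand-in for a DLL image: filler plus two random blobs."""
    rng = random.Random(1999)  # fixed seed so the sample is reproducible
    code = bytes.fromhex("558bec83ec108b45088945fcc9c39090") * 32
    name = b"\0" * 32 + b"Microsoft Base Cryptographic Provider v1.0" + b"\0" * 32
    image, offsets = bytearray(), []
    for part in (code, None, code, name, None, code):
        if part is None:  # placeholder for a key-sized random blob
            offsets.append(len(image))
            part = bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))
        image += part
    return bytes(image), offsets


SAMPLE, KEY_OFFSETS = build_sample()

if __name__ == "__main__":
    for start, end in find_high_entropy_regions(SAMPLE):
        print(f"high-entropy span: 0x{start:04x}-0x{end:04x} ({end - start} bytes)")
    print("blobs were planted at:", [hex(o) for o in KEY_OFFSETS])
```

Each reported span overhangs the planted blob by up to one window on either side, because windows that straddle the boundary can still clear the threshold.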



Re: [dc-sage] Microsoft, the NSA, and you... (fwd)

1999-09-03 Thread Robert Hettinga


--- begin forwarded text


Date: Fri, 3 Sep 1999 16:32:38 -0400
Reply-To: Law & Policy of Computer Communications
[EMAIL PROTECTED]
Sender: Law & Policy of Computer Communications
[EMAIL PROTECTED]
From: David Lesher [EMAIL PROTECTED]
Subject:  Re: [dc-sage] Microsoft, the NSA, and you... (fwd)
To: [EMAIL PROTECTED]

This is long and nerdy, but think it's worthwhile.

Bugtraq, in general, is a place real security types hang out,
although I can't speak re: Ross (As I don't claim to know more
than a few crypto types; draw no conclusion from that.) I'll
assume NTBugtraq is similar.

Here's the NTBUGTRAQ post
==

From [EMAIL PROTECTED] Fri Sep  3 16:01:34 1999
Date: Fri, 3 Sep 1999 15:57:43 -0400
From: Russ [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Alert: CryptoAPI and _NSAKey issue


-----BEGIN PGP SIGNED MESSAGE-----

This is also available at http://ntbugtraq.ntadvice.com/_nsakey.asp

Whoa horsie...

I had a long chat with Andrew Fernandes this morning, as well as
another chat with others, and of course I've had a ton of messages
sent my way with various links to various stories about the issue.

I wanted to get a few things straight before I sent this message, but
given how quickly things are spreading it makes sense to send something
interim.

Ok, so here's what I can tell you.

1. Andrew's speculation about the _NSAKEY being a backdoor for the NSA
is based on;

a) The variable is called "NSA".

b) It's a second key, not known to exist in Windows previously.

c) What possible purpose would a second key serve?

d) Its presence, arguably, weakens CryptoAPI (Andrew explains this on
his website at http://www.cryptonym.com/hottopics/msft-nsa.html,
I'll elaborate more later.

2. Sources close to Microsoft say that the key is a "Backup" key. It
is owned by Microsoft, and only Microsoft have the private key to it.
The key was named "_NSAKEY" because the NSA insisted that Microsoft
include a backup key in their CryptoAPI before the Commerce Department
would approve its inclusion in NT 4.0.

Editorial
- -

There's a bunch of somewhat understandable furor going on over the
idea that the NSA might have a backdoor to Windows. Unfortunately,
however, all of this is based on a variable name. Anyone who programs
knows that variables might get named anything for a variety of
reasons. One would expect that they would be named descriptively, but
alas, not everyone follows such stringent conventions (can you spell
"Easter Egg"?).

The Conspiracy Theorist's theory goes;
- -

- - The NSA has a signing key on your box.

- - The NSA can implant a Trojan to replace the module which performs
encryption on your box with one that doesn't perform encryption, and
because the failure of signature verification against Microsoft's key
is silent, they can get their trojan'd app up and running without you
being any the wiser.

- - The NSA can then sniff your traffic, now being conducted in
plain-text.

There's obviously a ton of variations possible on this theory, they
take your private key, they replace your key with another, etc...

They only have to get a Trojan to you and get you to run it, and as
those same Conspiracy Theorists always say, <speculation>there's
likely bugs in the OS designed to allow them to do
this...</speculation>

Yeah, could be true.

My take from Microsoft's Perspective;
- 

- - We want to have one build of our products that simultaneously
supports weak or strong encryption functionality.

- - We want to be able to ship this one product world-wide, changing as
few bits as possible for those that are being shipped outside the U.S.
and Canada.

- - We'll build an API (good, bad, or otherwise) that allows the
controlled bits to be inserted into an infrastructure, then get the
infrastructure approved, and all will be good.

- - Commerce (with advice from lots of people including the NSA),
agrees, and tells Microsoft they have to sign everything that can use
the infrastructure. That way, Microsoft can ship its product anywhere,
and Commerce will know that only those products that have been signed
by Microsoft will be able to run on the OS.

- - You want to build a Cryptographic Service Provider (CSP), the module
that performs the encryption, you gotta get Microsoft to sign it for
it to run. Microsoft doesn't sign anything that doesn't have the
appropriate Commerce Department Export approvals first.

Wonderful, life's good, Microsoft doesn't have to manage multiple
versions based on Crypto-strength, folks can implement whatever crypto
they want (assuming it's Commerce approved).

Oh, the second key, I almost forgot;
- ---

I'm told the NSA insisted there had to be a backup. No explanation as
to why yet, that's what I've been told. One theory that made a lot of
sense to me was the simple idea of;

What happens if 

Policy page redux?

1999-09-03 Thread Robert Hettinga

Shades of the plaintext-embedded-in-the-executable Netscape "policy page"?

Or is it just more stupid Microsoft crypto programming?

Father Occam prefers the latter, but you never know...

Cheers,
RAH

--- begin forwarded text


Date: Fri, 3 Sep 1999 15:34:04 -0300
Reply-To: Law & Policy of Computer Communications
[EMAIL PROTECTED]
Sender: Law & Policy of Computer Communications
[EMAIL PROTECTED]
From: "Peter D. Junger" [EMAIL PROTECTED]
Subject:  Re: FW: Warning about Installation of Software -- Don't be fooled
   by NSA Rumors
To: [EMAIL PROTECTED]
Status: U

Mark Shea writes:

: There is a discussion of this issue at
: http://www.slashdot.org/articles/99/09/03/0940241.shtml today. One of the
: more informed and thoughtful posts (IMHO) was from a Windows coder who has
: been working with this API for over a year. His/her comments can be seen at
: http://www.slashdot.org/comments.pl?sid=99/09/03/0940241&cid=56 .
: I recommend, however, you take a look at the whole discussion. It is fairly
: lively.

I always get lost on /. but I was able to read some of the messages and
some of the original material posted on the Internet.

Apparently this bit of stupidity is more of an opportunity than a threat.

As I understand it, the various versions of MSWindows include a Crypto
Applications Program Interface---I don't really know about this, being
much too snobbish to use Microsoft products---where one can plug in
encryption modules.  But the government would not let Microsoft export
its Windows systems with this API unless it was crippled so that one
could not plug in strong crypto.  So the solution was to require that
any crypto software installed on a MSWindows machine had to be signed by
Microsoft using a public key.  (I'm not quite sure of the type of key that
was used.)  So this crypto API contains a key that can be used to make
sure that Microsoft has signed an application, and if an application
is strong crypto it won't be signed by Microsoft and thus will not run
under MSWindows.

If you remove this Microsoft key from your Windows box, then you can't
run any crypto applications (that use the crypto API).

But now it turns out that some genius added a second key, called
apparently the NSAKEY, to the API and that a crypto application will
run if it is signed by either of the keys.  You can remove the NSAKEY
and anything signed by Microsoft will still run, but programs signed by
NSA won't run (unless, I guess, they are also signed by Microsoft).

And---and this is the good part---you can not only remove the NSAKEY,
you can replace it with your own key, and then run any crypto applications
programs that you want, no matter how strong!

This effectively allows one to ignore the export controls on crypto
applications that run on MSWindows.

At least that is my understanding.

If I am right, the question becomes whether the replaceable second key
is the result of stupidity---or of sabotage.

--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
  EMAIL: [EMAIL PROTECTED]    URL:  http://samsara.law.cwru.edu
 NOTE: [EMAIL PROTECTED] no longer exists

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



IP: Microsoft Letting Government Snoop

1999-09-03 Thread Robert Hettinga


--- begin forwarded text


From: "Dan S" [EMAIL PROTECTED]
To: "isml" [EMAIL PROTECTED]
Subject: IP: Microsoft Letting Government Snoop
Date: Fri, 3 Sep 1999 20:33:46 -0400
Sender: [EMAIL PROTECTED]
Reply-To: "Dan S" [EMAIL PROTECTED]

From http://www.news-real.com/apnews/19990903/21/01/5687004_st.html
-
Microsoft Letting Government Snoop
Associated Press

  WASHINGTON (AP) -- [ Microsoft Corp. ] sought to assure consumers Friday
that it did not insert a secret backdoor in its popular Windows software to
allow the U.S. government to snoop on their sensitive computer data.

The sensational charge of a quiet alliance between Microsoft and the U.S.
National Security Agency came after a Canadian programmer stumbled across an
obscure digital "signing key" that had been labeled the "NSA key" in the
latest version of Microsoft's business-level Windows NT software.

An organization with such a signature key accepted by Windows could
theoretically load software to make it easier to look at sensitive data --
such as e-mail or financial records -- that had been scrambled. The flaw
would affect almost any version of Windows, the software that runs most of
the world's personal computers.

Microsoft forcefully denied that it gave any government agency such a key,
and explained that it called its function an "NSA key" because that federal
agency reviews technical details for the export of powerful data-scrambling
software.

"These are just used to ensure that we're compliant with U.S. export
regulations," said Scott Culp, Microsoft's security manager for its Windows
NT Server software. "We have not shared the private keys. We do not share
our keys."

The claim against Microsoft, originally leveled by security consultant
Andrew Fernandes of Ontario on his Web site, spread quickly in e-mail and
discussion groups across the Internet, especially in those corners of
cyberspace where Microsoft and the federal government are often criticized.

Culp called Fernandes' claims "completely false."

An NSA spokesman declined immediate comment.

Bruce Schneier, a cryptography expert, said the claim by Fernandes "makes no
sense" because a government agency as sophisticated as the NSA doesn't need
Microsoft's help to unscramble sensitive computer information.

"That it allows the NSA to load unauthorized security services, compromise
your operating system -- that's nonsense," said Schneier, who runs
Counterpane Internet Security Inc. "The NSA can already do that, and it has
nothing to do with this."

Fernandes, who runs a small consulting firm in Canada, said he found the
suspiciously named "NSA key" -- along with another key for Microsoft --
while examining the software code within the latest version of Windows NT.

The existence of the second key was discovered earlier by other
cryptographers, but Fernandes was the first to find its official name and
theorize about its purpose.

"That (the U.S. government) has ... installed a cryptographic back door in
the world's most abundant operating system should send a strong message to
foreign (information technology) managers," he warned on his Web site.

But Fernandes seemed less worried Friday in a telephone interview.

"I don't know that they have reason to lie," he said. "The main point is,
you can't really trust what they're saying. They've been caught with their
hand in the cookie jar. In fact, I think they're being fairly honest, but
you don't know what else is in Windows."

Publication Date: September 03, 1999

--
Dan S




--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: NSA key in MSFT Crypto API

1999-09-03 Thread Anonymous

Wired.com:

 "The key is a Microsoft key -- it is not shared with any party including
 the NSA," said Windows NT security product manager Scott Culp. "We don't
 leave backdoors in any products."

 "The only thing that this key is used for is to ensure that only those
 products that meet US export control regulations and have been checked can
 run under our crypto API (application programming interface)," Culp said.

 "It does not allow anyone to start things, stop services, or allow
 anything [to be executed] remotely," he said.

 "It is used to ensure that we and our cryptographic partners comply with
 United States crypto export regulations. We are the only ones who have
 access to it."

So is this NSAKEY actually used to validate any CSPs?  Are there CSPs
out there which depend on this key, CSPs which have passed crypto
export review?  If so, the claims that the key can be removed without
impact are false.  If not, Carp's explanation cannot be believed.

Someone should ask Carp if export-approved CSPs use this NSAKEY, as
he implies.  If they don't, and if export-approved CSPs are signed with
the regular Microsoft key instead, he should be made to explain what
exactly this key is used for.



RE: NSA key in MSFT Crypto API

1999-09-03 Thread Tim Dierks

It's not clear to me why being able to sign CSP modules is a risky thing
anyway; all it means is that Windows will load and execute your crypto. The
mechanism is designed to keep overseas end users from being able to build
and install strong crypto libraries. If the NSA has a key, all they can do
is vouch for their libraries as export-qualified and thus enable their use.

It's not a secret backdoor or anything, and modules need to be on the
machine before their signatures are checked. If I can get you to execute
code on our Windows machine, I can penetrate your security, period. These
authorizing signatures have nothing to do with it.

Even if the key belongs to the NSA, I suspect that the NSA just wanted to be
able to load classified Crypto Service Providers into Windows and didn't
want to have to send said classified software to Microsoft for approval, so
they got the key installed so they could approve software in house.

 - Tim

Tim Dierks
VP of Engineering, Certicom
[EMAIL PROTECTED]
510.780.5409 [Hayward] -- 905.501.3791 [Mississauga]




RE: NSA key in MSFT Crypto API

1999-09-03 Thread Lucky Green

On Fri, 3 Sep 1999, Tim Dierks wrote:
 
> Even if the key belongs to the NSA, I suspect that the NSA just wanted to be
> able to load classified Crypto Service Providers into Windows and didn't
> want to have to send said classified software to Microsoft for approval, so
> they got the key installed so they could approve software in house.

Classified crypto is done in secure hardware. Any hypothetical CSP's the
NSA needs to install on their own machines would not contain classified
algorithms. Hence the NSA could submit them to Microsoft for signing.

I am afraid the NSAKEY in CAPI has a different purpose than allowing the
NSA to secure their own communications.

-- Lucky Green [EMAIL PROTECTED] PGP v5 encrypted email preferred.




Re: NSA key in MSFT Crypto API

1999-09-03 Thread Matt Blaze

Here's what I said about this on another list:

I must admit that this doesn't make much sense to me.

I was at Crypto, but I must have missed the rump session talk in question
(and it's entirely possible that the talk occurred anyway - I was out of the
room for a good deal of that session).  In any case, non-Crypto people should
remember that the "rump session" consists of entirely unreviewed talks
each lasting about five minutes.  It is *not* a peer-refereed part of the
Crypto conference, just a place for people to announce new or minor results.
It is very easy to get a rump session slot, and people say bogus things at
the rump session all the time.

That said, I don't understand the point.  If the NSA wanted Microsoft to
quietly compromise the CAPI install mechanism (which is supposed to
require Microsoft's digital signature on the installed module -
thereby preventing the installation of non-US crypto and allowing CAPI
OS's to be exported), it would be *much* easier to do any of the following:
- Convince MS to tell them the secret key for MS's signature key
- Get MS to sign an NSA-compromised module.
- Install some module other than CAPI to compromise the OS (only
  CAPI modules require the signature).

Regardless of the mechanism used, NSA would still have to
convince the owner of the computer in question to install the
compromised module (perhaps by exploiting one of the other bugs in the
OS, which is admittedly probably easy enough to do).

Finally, assuming that MS has two public CAPI-install keys in windows,
and someone discovered this, how would they know that one of the corresponding
secret keys is held by NSA?  From looking at the web page in question,
it appears that the evidence consists entirely of the fact that one of the
CAPI keys has an internal symbol name of "_NSAKEY".  Since anyone
with a debugger and a copy of an MS OS can find this symbol, if this is
intended as some kind of covert mechanism, it's not very well hidden.

-matt



Re: NSA key in MSFT Crypto API

1999-09-03 Thread John Gilmore

> http://www.cryptonym.com/hottopics/msft-nsa.html
>
> Perhaps more interestingly, the program lets you replace the key, too.

Microsoft prevents third parties from installing un-authorized crypto
code under CAPI by checking the signature on the code.  Under their
export deal, they refuse to sign anyone's non-US code that does strong
crypto.  So if you want to add your own strong crypto, you need to sign
it with a key that the CAPI recognizes.  You could patch out Microsoft's
key but then the Microsoft modules won't load properly.  It works
better to patch out NSA's key with your own -- then you can load both
your own crypto code and all the standard MS stuff.

John




Paul Brown on Solitaire randomness flaw?

1999-09-03 Thread Dave Del Torto

Does anyone (or you, Bruce?) have a URL handy to/for a paper (by 
Paul Brown in the UK?) speculating on a RNG weakness in Solitaire's 
(Bruce's playing card cipher)? I've been searching the web 
unsuccessfully. The paper may mention it as "Pontifex", as it was 
referred to in "Cryptonomicon." The implication is that it may not be 
as secure as I'd hoped, and that I should *not* train some human 
rights people on how to use it in the field...

TIA,

dave


"Riding tandem with the random, things don't work the way I've planned 'em."
   --Peter Gabriel ("Humdrum")